17 Jun 11

Court Favors Small Business in eBanking Fraud Case


Comerica Bank is liable for more than a half a million dollars stolen in a 2009 cyber heist against a small business, a Michigan court ruled. Experts say the decision is likely to spur additional lawsuits from other victims that have been closely watching the case.

Judge Patrick J. Duggan found that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 wire transfers within a few hours from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered amounted to $560,000.

“A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier,” Duggan wrote. Judge Duggan has yet to decide how much Comerica will have to pay.

The problems for Experi-Metal started when company controller Keith Maslowski responded to an e-mail that appeared to be from its bank, Comerica. The message said the bank needed to carry out scheduled maintenance on its banking software, and instructed the EMI employee to log in at a Web site that appeared to be Comerica’s online banking site. Maslowski said the email resembled the annual e-mails Comerica used to send, prompting customers to renew EMI’s digital certificates.

The year before the cyber theft, Comerica had switched from using digital certificates to requiring commercial customers to enter a one-time passcode from a security token. The site linked to in the e-mail asked for that code, and Maslowski complied. Within the span of a few hours, the attackers made 97 wire transfers from EMI’s account to bank accounts in China, Estonia, Finland, Russia and Scotland.

Comerica became aware of the fraudulent transfers four hours after the attack began. Although it took steps to isolate Experi-Metal’s account, the bank also failed to stop more than a dozen additional fraudulent transfers from the company’s account after the bank’s initial response. Experi-Metal sued the bank after it refused to cover any of the losses.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations can be held responsible for any losses due to phishing or account takeovers.

Michigan’s adoption of the Uniform Commercial Code means that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association’s Information Security Committee, said the court signaled early on that it would not consider whether Comerica’s security was commercially reasonable.

“The real focus here was the good faith requirement, [and] the burden to establish good faith was on Comerica according to the court,” Navetta said. “While the court did not find any evidence of intentional wrongdoing, it did focus on whether Comerica observed ‘reasonable commercial standards of fair dealing.’  It found that such commercial standards had not been met by the bank.”

But Navetta said the reasoning behind the court’s opinion was “a little confused,” noting that the court indicated that the bank had established commercially reasonable security, but that the court based its decision in part on the lack of fraud detection mechanisms employed by Comerica.

“In the Court’s view there should have been fraud detection mechanisms to detect and analyze various ‘risk factors,’ including: Prior wire transfer activity;  the length of EMI’s prior online banking sessions;  the pace at which payment orders were entered;  the destinations of the payment orders;  and the identity of the wire transfer beneficiaries,” Navetta said. “In my view, fraud detection mechanisms are a form of security, so this contradicts on some level the findings around commercially reasonable security, and I think makes the analysis confusing; where do the security measures end and the ‘good faith’ measures begin?”
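The five risk factors quoted above sketch what a session-level fraud screen on commercial wire orders could examine. As an added illustration that is not code from the article, the court record, or any bank's system, the routine below scores one online-banking session against the customer's own wire history on exactly those factors and holds the session for out-of-band confirmation when several trigger; the thresholds, the customer history, the payee names and the 97-order sample session are all constructed assumptions.

```python
"""Session-level wire-fraud screening on the risk factors the court listed:
prior wire activity, session length, pace of payment orders, destinations and
beneficiaries. All data and thresholds below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import Counter


@dataclass(frozen=True)
class WireOrder:
    ts: datetime        # when the payment order was entered in the session
    amount: float       # USD
    dest_country: str   # country of the receiving bank
    beneficiary: str    # named account holder receiving the funds


def baseline(history):
    """Summarise the customer's prior wire activity (factor 1)."""
    per_day = Counter(o.ts.date() for o in history)
    return {
        "max_per_day": max(per_day.values(), default=0),
        "countries": {o.dest_country for o in history},
        "beneficiaries": {o.beneficiary for o in history},
    }


def risk_factors(history, session, typical_session_minutes=15, max_pace_per_hour=6.0):
    """Return the list of factors triggered by one online-banking session."""
    b = baseline(history)
    orders = sorted(session, key=lambda o: o.ts)
    if not orders:
        return []
    hit = []
    # 1. volume against the customer's own busiest prior day (3x headroom, minimum 3)
    if len(orders) > max(3, 3 * b["max_per_day"]):
        hit.append("volume")
    # 2. session length against the customer's typical session (assumed parameter)
    span = orders[-1].ts - orders[0].ts
    if span > timedelta(minutes=2 * typical_session_minutes):
        hit.append("session_length")
    # 3. pace: orders per hour, floored at one hour so a single quick order is not penalised
    hours = max(span.total_seconds() / 3600.0, 1.0)
    if len(orders) / hours > max_pace_per_hour:
        hit.append("pace")
    # 4. destination countries this customer has never wired to before
    if {o.dest_country for o in orders} - b["countries"]:
        hit.append("destination")
    # 5. beneficiaries never paid before; flag when most of the session is new payees
    new = sum(o.beneficiary not in b["beneficiaries"] for o in orders)
    if new > len(orders) / 2:
        hit.append("beneficiary")
    return hit


def decide(history, session, hold_at=2):
    """'hold' means queue the session for out-of-band confirmation with the customer."""
    hit = risk_factors(history, session)
    return ("hold" if len(hit) >= hold_at else "release", hit)


# --- constructed sample data (not taken from the case record) ---
def _constructed_history():
    start = datetime(2008, 10, 1)
    payees = [("Acme Alloys", "United States"), ("Great Lakes Tooling", "United States"),
              ("Ohio Castings", "United States")]
    days = [0, 10, 20, 30, 30, 45, 60, 75]   # day 30 carries two orders: busiest day = 2
    out = []
    for i, offset in enumerate(days):
        name, country = payees[i % 3]
        out.append(WireOrder(start + timedelta(days=offset, hours=9 + i % 2),
                             5000.0 + 2500 * i, country, name))
    return out


HISTORY = _constructed_history()
_start = datetime(2009, 1, 22, 7, 30)
_countries = ["China", "Estonia", "Finland", "Russia", "Scotland"]
# 97 orders entered 110 seconds apart over roughly three hours, all to new payees abroad
FRAUD_SESSION = [WireOrder(_start + timedelta(seconds=110 * i), 4000.0 + 37 * i,
                           _countries[i % 5], f"unknown payee {i}") for i in range(97)]
# one ordinary domestic wire to a payee the customer has paid before
BENIGN_SESSION = [WireOrder(datetime(2009, 1, 15, 9, 12), 12000.0, "United States", "Acme Alloys")]

if __name__ == "__main__":
    for label, session in (("benign", BENIGN_SESSION), ("suspect", FRAUD_SESSION)):
        print(label, *decide(HISTORY, session))
```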

The Comerica decision comes less than two weeks after a tentative decision in another widely watched cyber heist case — this one involving a $345,000 loss that stemmed from a similar attack on Sanford, Maine-based Patco Construction. Experts said the Patco decision, if adopted by a U.S. district court in Maine, will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

But Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said she thinks the decision in the Comerica case could be a boon for victim organizations that have been hesitant about suing banks to recoup their losses.

“I think you’re going to see litigators more willing to take on these cases,” Castagnoli said.

Comerica’s lawyers say they are planning to appeal the decision. Comerica spokeswoman Kathleen A. Pitton said the bank’s security procedures were in compliance with those suggested by federal banking regulators.

“While we respect the judge’s opinion, Comerica believes it acted in good faith and plans to appeal,” Pitton said. “We presented evidence that disputes the allegations made against us and believe that, following a review of the evidence, the appellate court will agree and reverse this decision.”

The decisions in this case and the Patco case are being made at the trial level in different federal districts. They are not “case law.” Case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made. Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them. Establishing a uniform national standard for judging all cases involving cyber theft would require a decision by the U.S. Supreme Court. Banks and organizations may not be willing to carry their appeals to this level, fearing that a national standard may not be in their best economic interests.

KrebsonSecurity will continue to follow and report on these and other cases. If cyber theft remains out of control and legislators are unwilling to deal with the problem, then litigation and case law will be the only way to resolve the liability issues.

A copy of the court’s opinion is available here (PDF).


33 comments

  1. This sounds like an excellent decision from the article — I have not read the actual opinion.

  2. The Patco decision was quite disappointing, so it was a pleasure to read about EMI’s success in this litigation…though it is doubtless far from over.

    I can just imagine walking into the bank, handing a pile of forged transfer documents asking for what was done electronically, and being successful. We expect more from the experts that we deal with, regardless of the fine print.

  3. But if Maslowski hadn’t fallen for the phishing scheme none of the rest would have happened!

    • You may as well say: “If the bank hadn’t had similar communications in the past, none of the rest would have happened.” Or: “If the bank had the same type of monitoring as consumer accounts have (where they shut off or force a confirmation call), none of this would have happened.” Or: “If the bank had a proper training course for their software interface, none of this would have happened.”

      The bank should be expert enough to know two things:
      Variation on the Schneier Law – Anyone can design a security or encryption system that they can’t break.
      The Fool’s Law: You can’t make something foolproof since fools can be so damn clever.

      It is a real pain for both of us, but my bank calls and asks for a verification fax whenever we do something remotely odd. Blame the victim and decry the nanny state all you want, but I bet the bank wouldn’t allow their own money to be treated the same way as their customer’s money was mistreated.

      • You could make those arguments all day long. My issue with this decision seems to be based upon (in part) the expert testimony of an individual with no background in payments fraud that testified that (in 2009) most banks were utilizing real time fraud scoring for wire transfers based on the history of the account, how quickly payments were originated, and my favorite, to identify Russian ‘sounding’ names. I have been in banking for 14 yrs, not only did this technology not exist then, it barely exists now. If it did, somebody please tell me who. Also- Comerica deployed 2 factor authentication (token) at the time, which was fairly cutting edge for banks to do at the time. I’ll be curious to see how the appeal goes.

        • You are right Jim. I could make those arguments, and many more, all day long.

          Are you telling us that the legal team of the bank and their insurance company didn’t counter the testimony that you are pointing out? If they didn’t, then there will be nothing to complain about on that topic in the appeal. If they did counter it in the courtroom, then there will be nothing to complain about in that regard in the appeal.

          Organizations fail when they don’t put as much effort into quality control and training as they do in R&D and PR (and legal). The technology did exist 2 years ago to download Moodle and in 100 minutes create a course and knowledge base that everyone who expects to do electronic transfers has to study and pass 100% before getting a key.

          Instead they threw a technology out to a public known to fall for phishing scams and try to act surprised when they get caught out by scammers who mimicked a form that they used the previous year. Indefensible. Irresponsible. Not someplace that I would put my employee’s payroll funds.

          • CJ,

            First off, I believe both parties should split the loss. There needs to be an incentive for companies and municipalities to safeguard their IT infrastructure from these threats. Think about the employees that work for these victims, would you blame the bank if the company you work for fell victim to a phish and as a result, your personal information (think payroll stuff such as SSN, name, address, acct #) was compromised? I do believe the bank carries some responsibility here as well. However, based upon the merits of the arguments, I do take exception to the reason for the decision. That fraud scoring technology did not exist, and was not deployed by most banks at the time.

            Now, if the litigants had argued that the bank deployed this technology without training (which is a great point by you), that should have been argued, but I see no evidence that training was, or was not, given to the customer. The other part that bothers me is that the individual that gave up his OTP on the phish-site clearly did not get through to the bank website- he must have received an error. Why didn’t he pick up the phone and call? It’s pretty easy to play Monday morning QB in these cases.

            What I like about these forums are the ideas that generate and the good conversation and debate. Your idea about educating customers is excellent, and something most banks can probably do a much better job with, however, that’s a take-away for the future, and was not the reason Comerica lost.

            As far as comments with regard to why Comerica did not spot these, most of these wire systems are automated to process without operator intervention (for good or bad). Also, I would ask if one could also argue that the treasury missed these transactions, as all of these wires also flowed through the federal reserve system as well. We all need to work together, customers, banks, IT companies, there is no panacea and there never will be, it takes layers. BTW, if you would like to understand how the wire process works, who the different players are, and how systems operate, visit – http://www.fincen.gov/news_room/rp/files/cross_border.html

            • jt,

              I appreciate the link, and I appreciate what you are saying. I just want to go back to the original spectacle.

              I don’t want to be an expert in bank security. (I’m already forced to become an expert in plane and hotel reservations, and too many other things.) I want a service and I have expectations that my bank wouldn’t offer that service unless they can assure me that it is up to the standards that I trust them for.

              My bank charges me for the ability to do internet transactions. I exchange my money for their expertise.

              If I found out that thieves could steal my ID, find someone tall, dark and handsome to impersonate me, and with my ID clean out my account by asking a teller to send money to 90 people all over the world, I would be disappointed. If that same event is somehow OK in the virtual world, there is something wrong with the planet that fine print can’t fix.

              I further take exception to the person who called Mr. Maslowski an idiot. If the bank doesn’t take into account that they are selling their products to non-security trained personnel, then it is the bank who is the idiot and I hope the charges they receive cover a good insurance policy.

              When a case like this boils up to public view, there are always dozens which were settled out of court and hushed-up. Security by obscurity at its stupidest!

              I would go so far as to put some blame on the insurance company that the bank uses as well. They should be checking into the features that they are covering. They are specialists at staring at potential liabilities and figuring what the odds are that one will explode in their face. If the insurance company didn’t say: Hey! The majority of people wouldn’t know a URL roll-over from a thrust inverter, and many of them aren’t trained at creating and keeping secure passwords. If you want to sell to these people without holding their hands and training them often and forcing them to read Krebs on Security every week, fork over some serious dosh because you’re going to be calling our number too often.

              So, I’ll agree. Split the loss. 50%/50% – bank and insurance company.

              • (Disclaimer: I’m not defending either the bank or the victim, that’s for courts to decide.)

                You’re offering some weighty arguments for someone who doesn’t want to be an expert in bank security.

                I’m curious what you would consider to be reasonable security?

                If you want a call back on every transfer that occurs, does the next person want that? Even if she does 100 of those a day? Overseas?

                By the way, the court docs and Brian’s article up above describe how a controller received an email with a link to a web site, both of which resembled Comerica’s usual stuff. That website accepted his username and (time-sensitive) security token. That information was presumably passed right into the Comerica site to do transfers. That attack is not surprising to those in the know, but it’s also not your typical run-of-the-mill grabbing of a username/password and running amok with it. Security tokens are a banking industry reasonable practice.

                I’m quite concerned by opinions like yours because it raises the bar to some ephemeral high place that just isn’t achievable until perfection is reached. You can take very secure procedures and they can be slipped through at some point. How good does this fraud protection have to be, for instance? Five transfers in 10 minutes? Above ordinary behavior? At some point someone is going to draw the analogy between malicious fraud detection and anti-virus software, including the weaknesses. :)

                Likewise, we always will come back to human mistakes by bank employees but also consumers who have an infinite number of use-cases, behaviors, and tolerances for cost of business (i.e. paying for the security) and inconvenience to themselves (i.e. annoyed when their legit activities are blocked by fraud detection).

                I recommend looking up some information on why individual consumers have guarantees by banks when fraud occurs, but businesses do not. It might make sense then why this situation occurs. (I believe it has to do with how one entity can manufacture fraudulent actions and then become dissolved or not be clear whom to punish, while another cannot. Additionally, this shifts the duty of protection to the business, not the bank. However, I’m not a lawyer…)

                You can blame insurers, sure, but they may also not be digital security experts. I’m not sure if you’ve seen the regulations and compliance items that banks need to meet, but they’re both good steps but also not ever going to achieve a level of security that an online expert can’t scoff at some part or other. This gets back to saying there is no security measure that someone somewhere won’t belittle as not good enough. That’s why we talk about “reasonable” and “industry acceptable” measures…

                PS: Please watch out in using the “security by obscurity” argument. If you want to get technical, passwords and most security anyway is some form of obscurity.

                • well, the anti-fraud measures you seem to think are impossible certainly seem to work fairly well when implemented on accounts for which the bank has liability. does someone want 100 calls per day for overseas transfers? I guess that really depends on the business. the purpose of the fraud detection systems is to identify aberrant behavior. surprisingly, if you throw enough resources at that problem (like the credit card companies have) it becomes much more tractable (as opposed to how hard it looks if you’re just yakking about it on a message board).

                  one reason that commercial accounts have less protections is the assumption that businesses have auditors and financial managers that can detect and respond to fraud on their own. in the context of small businesses and internet fraud that can irretrievably cause a business’s entire cash reserve to disappear instantly, this assumption seems misplaced.

                  if customers do get annoyed by real security measures, let them turn them off after explaining what they are doing (including waiving the bank’s liability, in an in-person transaction). but the default should be the secure setting, and the banks should be on the hook–they’re the ones who should have the expertise. it is in my mind farcical to argue that every consumer and business in the world should be an expert on avoiding fraud, but the banks should not.

                • Whoa – slammed by a fictitious name person.

                  In theory, you are correct. All encryption and security is by obscurity. In reality, not so correct, just like most of your other complaints to my arguments.

                  Reasonable security in the virtual should be no less than that of the physical world. Why is that raising the bar to some ephemeral high place? My expectation of a bank is first, that they keep my money safe. Benefits and hassles are secondary to that fundamental.

                  You may say that you’re not defending the bank, but you are repeating their excuses, and justifying why the disappearance of a half-million dollars is OK. It isn’t OK. If the fine print is their excuse, that they ‘told you so’ in paragraph 18, sub d, then they should also have put a heading that says, “A half million dollars may flow out of your account and we won’t take responsibility if it is done electronically.”

                  I really don’t get your argument. Are you saying that insurance companies insure risk that they aren’t familiar with? That employee error mitigates the bank’s responsibility? That because the customer is part of a class of normal users who get phished, the bank shouldn’t anticipate that and be responsible for a large percentage of users?

                  • I hate to say it, but it really sounds like you’re of the position that any loss at all is unacceptable and therefore security needs to be up that high. Or the bank needs to repay losses. Regardless of actions by the “victim?” I also think you’re blurring the distinctions between individual banking consumers and their protections with business banking customers and their unique positions.

                    Anyway, I didn’t say “all” encryption or security is by obscurity. I have no idea what you envision with how theory and reality differ.

                    You just said your expectation is that the bank keeps your money safe. How is that *not* an arbitrary bar? You’re familiar with the law term, “reasonable,” right?

                    Am I repeating the bank’s excuses? Perhaps, but that depends on what you’re specifically referring to and how you define “reasonable” security. If your problem is missing money, then why blame the bank or the victim at all? You should be railing on the cyber thieves just as much, if not more. Perhaps when the thieves are caught the victim can reclaim what was stolen? (Before someone gets annoyed at that argument, that’s made just to make a point, not to be a position I’d vehemently defend.)

                    I’m going to end up saying that our definitions of “reasonable” are definitely very different.

                    I also really think your expectations are strange…

                    PS: I didn’t slam you, as far as I know, but if I put my name as “John Smith,” would that make you feel better?

        • Jim,

          I agree with everything you are saying. However their appeal will not have a different result. The bank noticed the fraud, reacted, and still let more fraud pass through the account. As anyone who reads this site often can tell, I defend the banks most of the time. Not this time. They had their chance and blew it. In my mind here is what happened at that bank. Hey look, fraud; oh look, it’s time for lunch. They saw the fraud and did nothing about it. I mean your customer is trying to send 97 overseas wires in a few hours. Just the work behind sending an international wire should have made someone call the customer and ask, do you really want to send money overseas? The above attitude is also why banks will continue to lose this type of case.

        • it certainly did exist, and has been used for many years for credit card transactions. the only reason the same sort of scoring wasn’t used for commercial wire transactions is that the banks (thus far) have been able to force the losses onto their customers rather than having to eat them.

  4. When banks started moving branch banking operations like wire transfers online, traditional security controls like callback/faxback verification failed to follow.

    Expect to see this come back, but in updated form. :-)

    http://www.technologyreview.com/communications/26873/

  5. Its web site makes EMI look like a large company that may well have overseas customers. Do banks like Comerica have employees that monitor wire transfers, especially ones leaving the country and near the 10K threshold?

  6. Keith Maslowski is an idiot. But, thank god for the justice system and Judge Patrick J. Duggan. amirite?

    Seriously, happy to see this verdict; but yes, a more all-encompassing approach would be nice. Good write up.

  7. It’s not obvious we’ll ever get a Supreme Court case setting clear guidelines for cyber security cases.

    What’s far more likely is that the law will slowly evolve into a patchwork in different jurisdictions, and large corporate plaintiffs will go forum shopping a bit for the jurisdiction with the most favorable rules.

    We’ll see more cases as returns get more predictable, but there’s nothing explicitly stopping cyber security based pseudo products liability cases from occurring right now.

    There are a lot of folks who run small business websites which now serve malware to Google Image searchers. I’m waiting until one of them gets sued. I know we don’t want to scare all the average users off the internet, but maybe people should have a responsibility to take down their website if it’s infecting others. I’m not sure there’s a way to force anyone to do that without civil penalties.

  8. I commend Judge Patrick J. Duggan’s findings and hope more people in the judiciary follow his lead… it’s the only way that the bankers will improve.

  9. Thanks for the article, Brian. Admittedly, I am really green when it comes to matters like this, so it would have been interesting to sit in on this lawsuit to hear the two sides. My gut reaction is to side with small businesses against banks, but I also think that the people who run businesses, both small and big, have become too comfortable with electronic transactions and happily click anything that looks official. My first thought when reading this, however, was that an industry that can freeze my credit card after two questionable transactions can certainly expend more effort in investigating 97 wire transfers in a few minutes.

    • Your last sentence is dead on.

      The banking industry carefully scrutinizes consumer credit cards and acts quickly to halt abnormal transactions. It does this to protect itself; a bank is exposed to greater liability from consumer credit card fraud than it is from fraudulent internet banking transactions–particularly from business customers.

      Only by increasing the banks’ costs for accepting fraudulent internet transactions will it become financially responsible for them to invest in better internet fraud prevention mechanisms.

      • Heck our hometown association has a behavioral algorithm that works pretty good for personal exchanges, I can’t see why a bank couldn’t afford at least what we got. After all, I’m just talking about a hayseed bank out in the desert; surely most organizations could afford such a system.

        I’ve had some transactions stopped; and all I had to do was call them on the cell phone to free it up; I actually appreciated that, myself! It doesn’t happen often, but anytime I digress from the usual, it trips the alert.

  10. The outcome was the morally correct one; however, the legal basis for the judgment is weak and is unlikely to significantly protect banking customers from fraud in the future.

    As written in the opinion “…to prevail, Comerica had to present evidence conveying the reasonable commercial standards of fair dealing applicable to a bank’s response to an incident like the one at issue here and to show, by a preponderance of the evidence, that its employees observed those standards in response to the criminal’s phishing attack on January 22, 2009. This Court finds that where the burden falls is dispositive in this matter because Comerica failed to present evidence sufficient to satisfy its burden.”

    Specifically, the court favored Experi-Metal because “Comerica was required to present evidence from which this Court could determine what the ‘reasonable commercial standards of fair dealing’ are for a bank responding to a phishing incident such as the one at issue and thus whether Comerica acted in observance of those standards. Comerica presented no such evidence and thus it has not satisfied its burden.”

    Based on this opinion, it seems if Comerica could have presented evidence that the preponderance of the banking industry would have acted as they did, the court’s opinion could have been swayed.

    It would be better if a case would clearly state two-factor authentication and fraud scoring/fraud screening (including mandatory validation of abnormal transactions) are minimum requirements for “reasonable commercial standards of fair dealing”.

  11. If someone tried to post 97 comments on Brian’s blog within the space of a few hours, I’m sure quite a few of them would be sitting awaiting moderation. It’s pretty standard procedure. You can’t tell me no one has thought about doing the same for unusual ACH transfers, not after all these expensive ZeuS debacles. The banks appear to have made a conscious decision *not* to take responsibility for allowing or blocking suspicious transactions.

    And just how useful is an authentication key if you only have to enter it once and it remains in effect for several hours and for dozens of transactions worth hundreds of thousands of dollars? If a new key had to be entered once the number or dollar amount of transactions reached a particular threshold, it would alert a customer that maybe things aren’t right. (And given how many of these things occur overnight, it might stop the whole process if the customer isn’t even sitting at his/her computer anymore.)

    If banks bear no risk of financial loss from these thefts but potentially risk litigation for interfering with valid financial transactions, they are going to err on the side of allowing transactions to proceed, every time. The risk has to be more balanced.

    This ruling isn’t necessarily a victory for litigants with malware-infected computers. The judge didn’t rule the victim is going to get *all* the money back. In fact, he may only award damages for the transactions that occurred after the victim contacted the bank. (What kind of bank makes the customer responsible for losses even after notifying them of fraud?)

    I haven’t heard details of the phishing email or the details of what the bank’s usual emails look like. I haven’t heard what browser its customers are required to use to access online banking and whether it would be inherently vulnerable to a drive-by download on the phishing site. I haven’t heard whether the ZeuS was installed on the computer first — giving the criminals all the information they needed for a convincing spearphishing attack, or even allowing them to modify the hosts file (so the victim might have seen the correct URL in the browser yet been interacting with a server at a different IP address). I’m certainly not ready to decide who, if anyone, is an “idiot” from the data we’ve been given.

  12. OK, so we got one legal decision going one way, and another one going the exact opposite way.

    Just another day in the eff’ed up US legal system. Par for the course. But then as the guy with the dark glasses says in “Oh Brother Where Art Thou?” (quote) “The Law is a HUMAN institution…” (snicker)

    So anyway, ignoring that for a moment, all I really wanted to say … or rather ask about… is… ah… commercial insurance. We’ve been seeing quite a lot of hacking incidents in the press of late, and it has made me wonder… Can companies insure themselves against the costs associated with these sorts of incidents? DO companies insure themselves against the costs of these kinds of incidents? For example, was the (losing) bank in this case insured for this loss? If not why not? Is it even possible to get “cyber incident insurance”? If not, why not?

    Just a few moments ago I read over on TheRegister about the unbelievable level of idiocy that explains the recent Citibank mass data compromise. And frankly, as a professional software engineer it makes me just want to puke. Obviously, *nobody* with any brains ever reviewed the code or the design decisions that went into Citibank’s web site, _or_ into Comerica’s anti-fraud procedures. So we need to ask the obvious question: Why not?

    I contend that nitwit f**k ups like this occur, in part, because there probably does not currently exist such things as insurance policies that would reimburse for incidents like these… like the Citibank break in and the Comerica screwup. I deduce that because what little I know about insurance companies leads me to believe that they are VERY attuned to risk, risk factors, and reducing risk, especially on things they have insured. So if Citibank’s web site operation had been insured, then at the very least some insurance inspector might have taken a look at it (sometime BEFORE it had been compromised) and said “Oh s**t! No, this just won’t do. Time for a re-write boys!” And likewise also for whatever procedure manual that had been passing for Comerica’s fraud prevention manual.

    OK, so tell me… Am I just crazy? Or is “cyber insurance” the way out of this horrendous mess that so many businesses… from Sony to PBS… seem to be finding themselves in these days?

      • hehe… I definitely missed seeing those. So thanks Alpha! Serves me right for not having read every last one of Brian’s columns over the past couple of years.

        So anyway, great minds think alike. In this case I just came to the realization about a year later than Brian had already written about it.

        One thing that’s not covered in Brian’s stories: How come the insurance companies involved in those incidents were not doing the kinds of “inspections” that might have prevented these incidents from occurring? (Or perhaps the good/better ones do, and thus, in those cases, there is never any sad story for Brian to write about, eh?)

        • I don’t know about any preventative-health types of inspections. After all, I don’t know that insurers conduct on-site inspections of companies they insure for fire or other casualties, either.

          However, the online application I looked at for one policy had a list of very specific questions about the applicant company’s security policies. I assume that if the company suffered a loss due to a cyber-debacle and an investigation showed they had falsely claimed on their application that they had security policies in effect that they did not, then the insurer could deny their claim.

          Answering the questions would be a useful exercise for a company to go through whether it invested in insurance or not, though.

    • Maybe somebody can correct me but I think it was places like AIG that provided some modicum of business insurance for places like CitiBank, and we all saw what happened to them.

      As far as small business accounts, I am not aware of ANY requirement in any state for insurance on small business (or otherwise) bank accounts.

      There is FDIC for personal accounts up to $100,000 of course, but that is it. Savings and loans have a thing like FSLIC (don’t remember the name) that does the same thing only for personal accounts (debit cards not included).

  13. What strikes me as the real crux of this is the lack of any activity on the back-office side to prevent the transactions from going out the door. Forget that the customer fell victim to phishing. Let’s pretend the fraudsters got lucky and guessed his ID.

    The bank should still have had transaction limits in place for the customer. A number of transactions per day, a dollar amount limit, and an ACH calendar stating on which days this customer expects to send out transactions. And that’s just the minimum. I am a banker, and these things are required of our customers. Anything out of the ordinary throws an exception, and we contact the customer prior to releasing any money. If we don’t get ahold of them, the money doesn’t leave. Better to inconvenience the customer than lose his money any day.

    We also require dual control and tokens on all online transactions, and we require out-of-band verification on others. Right now, we are considering implementation of secure USB solutions to create secure tunnels for online banking. We would then restrict any user with online payments access (ACH and wires, not bill pay) to only log in from the IP addresses associated with the secure browser’s proxy. A customer logs in from any browser other than their tunnel, and they don’t get in. The USB virtual machines even use the DNS servers located in the company’s datacenter, so we can be assured that there hasn’t been any DNS tampering.

    The browsers are also locked to only go to whitelisted sites, as well, so we can ensure our customers are not inadvertently infecting their browser before visiting our site.

    This is the new definition of reasonable security, people. This, coupled with analytics which scan every transaction prior to it being sent out for breaks in the customer’s use patterns should create enough of an obstacle for the fraudsters that they seek their quarry elsewhere.

    And that is all you can hope for. That you make it hard enough for the bad guys that it isn’t worth their time to fight you for it.
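The screening the banker describes above (a per-customer count limit, a dollar limit, an ACH calendar of expected send days, and an exception that holds money until the customer is reached) can be sketched as code. The block below is an added illustration, not code from the comment or from any bank's system; the customer profile, the limits, the "known destination" check and the transactions are constructed sample data chosen to resemble the burst of out-of-pattern wires the article describes.

```python
"""Back-office transaction screening: hold anything that breaks the
customer's stated limits or use pattern, release the rest.
Added example with constructed data; not any bank's real rules."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CustomerProfile:
    customer_id: str
    max_txns_per_day: int          # velocity limit
    max_amount_per_txn: float      # single-transaction dollar limit
    max_total_per_day: float       # aggregate daily dollar limit
    ach_weekdays: frozenset        # days the customer said it sends (0=Mon..6=Sun)
    known_destinations: frozenset  # countries seen in the customer's history


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    customer_id: str
    when: datetime
    amount: float
    destination_country: str


def screen(profile: CustomerProfile, txns: List[Transaction]
           ) -> Tuple[List[Transaction], List[Tuple[Transaction, str]]]:
    """Return (released, held). A held entry carries the reasons it tripped.

    Velocity and daily totals count every attempt, released or not: a burst
    of attempts is itself the signal the banker wants an exception on."""
    released: List[Transaction] = []
    held: List[Tuple[Transaction, str]] = []
    count_by_day: Dict[object, int] = {}
    total_by_day: Dict[object, float] = {}

    for t in sorted(txns, key=lambda x: x.when):
        day = t.when.date()
        count_by_day[day] = count_by_day.get(day, 0) + 1
        total_by_day[day] = total_by_day.get(day, 0.0) + t.amount

        reasons = []
        if day.weekday() not in profile.ach_weekdays:
            reasons.append("outside ACH calendar")
        if t.destination_country not in profile.known_destinations:
            reasons.append("unknown destination country")
        if t.amount > profile.max_amount_per_txn:
            reasons.append("amount over per-transaction limit")
        if count_by_day[day] > profile.max_txns_per_day:
            reasons.append("daily transaction count exceeded")
        if total_by_day[day] > profile.max_total_per_day:
            reasons.append("daily dollar limit exceeded")

        if reasons:
            held.append((t, "; ".join(reasons)))   # contact customer first
        else:
            released.append(t)
    return released, held


# Constructed sample: a customer that sends a few domestic payments on
# Tuesdays and Fridays, followed by a Thursday burst to new countries.
SAMPLE_PROFILE = CustomerProfile(
    customer_id="cust-0001",
    max_txns_per_day=5,
    max_amount_per_txn=25_000.0,
    max_total_per_day=60_000.0,
    ach_weekdays=frozenset({1, 4}),          # Tuesday, Friday
    known_destinations=frozenset({"US"}),
)

SAMPLE_TXNS = [
    Transaction("t-100", "cust-0001", datetime(2011, 6, 14, 10, 0), 12_000.0, "US"),
    Transaction("t-101", "cust-0001", datetime(2011, 6, 14, 11, 0), 9_500.0, "US"),
] + [
    # eight wires in eight minutes on a Thursday, each just under $10k
    Transaction(f"t-2{i:02d}", "cust-0001", datetime(2011, 6, 16, 9, i),
                9_900.0, ["EE", "CN", "RU", "FI"][i % 4])
    for i in range(8)
]


def run_sample():
    """Screen the constructed transactions against the constructed profile."""
    return screen(SAMPLE_PROFILE, SAMPLE_TXNS)


if __name__ == "__main__":
    released, held = run_sample()
    print(f"released {len(released)}, held {len(held)}")
    for t, why in held:
        print(f"  HOLD {t.txn_id} {t.amount:>9,.2f} -> {t.destination_country}: {why}")
```

The point of the sample is that the burst is caught several ways at once: the first Thursday wire already trips the calendar and the destination check before any count or dollar limit is reached, so the hold does not depend on the attacker being greedy on a single transaction.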

    • Yar,
      I want to bank with you. You sound like one who is working hard to take care of customers rather than laying blame. Customers can be better, but I’m glad to hear that at least one banker professes a healthy dose of accountability as well.

    • I second the prior comment. I want to bank with you!

      I have an account @ schwab and although they never volunteered the information, when I asked whether or not they offered those little keychain cryptographic extra-level-of-security dohickies, thankfully they said yes. The protection you get with these *isn’t* absolute or iron-clad… a very clever infection on the machine you log in from could still interpose itself between your keyboard and the bank’s web server (and clean you out), but barring that sort of thing, this is really the best sort of protection going. (Well, at least the Verisign ones are… as y’all may have heard, RSA had a wee bit of a problem with theirs recently.)

      So anyway, when I was in my regular bank not long ago, I started telling them that I’m a software engineer, and that I actually _do_ know a bit about this stuff, and that it would be great if they would give me one of these dohickies also for my account with them (a smallish community bank in Northern California). They knew exactly what I was talking about, HOWEVER they said that they only give those out for *business* accounts.
      Crap! I call that penny wise and pound foolish on their part. I even offered to PAY them for this extra level of service, but they still haven’t gotten back to me about that. :-(

  14. ChesterCheetah

    BUMP! Given the topic, I thought this article would be of interest …

    http://moneyland.time.com/2011/06/28/is-your-bank-failing-at-security/#ixzz1QgGQt0nN